A new cyber threat, known as ConsentFix v3, has surfaced in underground hacker communities as an enhanced method that automates attacks on Microsoft Azure accounts.
The initial iteration of ConsentFix was introduced by Push Security in December as a new ClickFix-style approach to OAuth phishing. This deceptive technique lures victims into completing a legitimate Microsoft login flow using the Azure CLI.
Through social engineering, the attacker persuades the victim to hand over a localhost redirect URL containing an OAuth authorization code. The attacker can then exchange this code for tokens and compromise the account without needing a password, bypassing multi-factor authentication (MFA) in the process.
Building upon Push’s concept, researcher John Hammond developed ConsentFix v2 as an evolved version that streamlines the process by replacing manual URL copying with drag-and-drop functionality. This enhancement makes the phishing scheme more seamless and persuasive.
ConsentFix v3 retains the fundamental strategy of abusing the OAuth2 authorization code flow and targeting trusted, pre-consented first-party Microsoft applications.
However, the latest iteration adds automation and scalability as its key upgrades.
ConsentFix v3 Attack Strategy
According to hacker forum posts promoting the new technique, the attack begins by confirming that the target organization uses Azure, which is done by validating its tenant ID.
The attackers then compile employee information such as names, roles, and email addresses to support impersonation.
Next, multiple accounts are created across various services, including Outlook, Tutanota, Cloudflare, DocSend, Hunter.io, and Pipedream, to support phishing, hosting, data collection, and exfiltration.
Push Security explains that Pipedream, a serverless integration platform, plays a pivotal role in automating the attack, serving three crucial functions:
Acting as the webhook endpoint for receiving the victim’s authorization code
Functioning as the automation engine for promptly exchanging the code for a refresh token via Microsoft’s API
Serving as the central repository for real-time access to captured tokens
[Figure: Creating the Pipedream model. Source: Push Security]
In the next stage, the attacker deploys a phishing page hosted on Cloudflare Pages that mimics a legitimate Microsoft/Azure interface and starts a genuine OAuth flow through Microsoft's login endpoint.
When the victim interacts with the page, they are redirected to a localhost URL containing an OAuth authorization code, which they are tricked into pasting or dragging back into the phishing page.
This action triggers the exfiltration step: the page sends the captured URL to a Pipedream webhook, and the backend automation immediately exchanges the authorization code for tokens.
The phishing emails are highly personalized, generated from harvested data, and include malicious links embedded within a PDF hosted on DocSend to enhance credibility and evade spam filters.
In the post-exploitation phase, the obtained tokens are imported into Specter Portal, enabling the attacker to interact with compromised Microsoft environments and access resources permitted by the token, such as email, files, and other associated services.
Push Security highlights that their testing of ConsentFix v3 was conducted using personal Microsoft accounts, making it challenging to fully assess the impact, which varies based on permissions, services, and tenant configurations, among other factors.
On mitigation, Push notes that defending against ConsentFix is complicated by the architectural trust placed in first-party apps. However, accounting for the Family of Client IDs (FOCI) behavior, binding tokens to trusted devices, deploying behavioral detection rules, and restricting which apps users can authenticate to can all strengthen an organization's defenses.
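As an added illustration of the "behavioral detection rules" mentioned above (example code written for this article, not Push's or Microsoft's; the record fields and sample sign-ins are constructed and simplified rather than the real sign-in log schema), the rule below flags an interactive login that is followed shortly by non-interactive token activity for the same app from a different source address, which is exactly the split the Pipedream hand-off produces: the victim authenticates in their own browser, but the code is redeemed elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SignIn:
    """Simplified sign-in record (assumed fields, not the real Entra schema)."""
    ts: datetime
    user: str
    app: str           # application the token was issued to
    ip: str            # source address of the request
    interactive: bool  # True for the browser login, False for code redemption / refresh

def find_token_handoffs(events, window=timedelta(minutes=30)):
    """Return (user, app, login_ip, redeem_ip, redeem_ts) for every interactive
    login followed within `window` by non-interactive token use of the same app
    from a different IP. Legitimate Azure CLI use redeems the code from the same
    host the user logged in on, so a different address is the tell."""
    alerts = []
    by_user_app = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user_app.setdefault((e.user, e.app), []).append(e)
    for (user, app), evs in by_user_app.items():
        for i, login in enumerate(evs):
            if not login.interactive:
                continue
            for later in evs[i + 1:]:
                if later.ts - login.ts > window:
                    break  # events are time-ordered, nothing later can match
                if not later.interactive and later.ip != login.ip:
                    alerts.append((user, app, login.ip, later.ip, later.ts))
                    break
    return alerts

# Constructed sample: alice's code is redeemed from an address that is not hers,
# bob's flow stays on one host, and bob's later event falls outside the window.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    SignIn(T0, "alice@example.com", "Azure CLI", "203.0.113.10", True),
    SignIn(T0 + timedelta(minutes=2), "alice@example.com", "Azure CLI", "198.51.100.7", False),
    SignIn(T0, "bob@example.com", "Azure CLI", "203.0.113.11", True),
    SignIn(T0 + timedelta(minutes=1), "bob@example.com", "Azure CLI", "203.0.113.11", False),
    SignIn(T0 + timedelta(hours=2), "bob@example.com", "Azure CLI", "198.51.100.7", False),
]

if __name__ == "__main__":
    for alert in find_token_handoffs(SAMPLE):
        print("possible authorization-code hand-off:", alert)
```

The window keeps the rule tight around the code exchange; later refresh-token use from attacker infrastructure needs a separate rule keyed on the user's usual locations.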
While ConsentFix attacks have been observed in active campaigns, it remains uncertain whether the v3 variant has gained significant traction among cybercriminals.